HTC promises to unlock the Sensation bootloader in August, thus people can load custom ROMs etc.
Interesting, isn't it?
would be nice to show this to Acer people.
http://www.fonehome.co.uk/2011/07/11/htc-unlocked-bootloader-release-date/
here is source.
Our bootloader is unlocked, it doesn't need unlocking... it just has a checksum check to be sure partitions are not corrupted.
The Acer A500 Iconia has a locked bootloader! So this would be nice if Acer followed suit!
No, iconia bootloader is not locked. It is encrypted with aes-128-cbc using Secure Boot Key. SBK cannot be changed once written by the manufacturer. Messing around with boot config table and ODM data can be dangerous and decrypting stuff manually not quite convenient.
Generally, you should not need SBK and nvflash unless you brick badly (having checksum errors on both LNX and SOS or overwriting encrypted/bootloader partitions). If you do, make sure you know the UID of your device and contact sc2k. Maybe some time later he will release an automated and safe tool to recover the device, but until then users are highly recommended not to mess with mmcblk0 and to be extremely careful when writing recovery and boot images.
sp3dev said:
No, iconia bootloader is not locked. It is encrypted with aes-128-cbc using Secure Boot Key. SBK cannot be changed once written by the manufacturer. Messing around with boot config table and ODM data can be dangerous and decrypting stuff manually not quite convenient.
Generally, you should not need SBK and nvflash unless you brick badly (having checksum errors on both LNX and SOS or overwriting encrypted/bootloader partitions). If you do, make sure you know the UID of your device and contact sc2k. Maybe some time later he will release an automated and safe tool to recover the device, but until then users are highly recommended not to mess with mmcblk0 and to be extremely careful when writing recovery and boot images.
Just putting this info out there to add to what you wrote about the UID etc.
When you do a NAND backup using CWM, there is a UID.txt file that lets you know what your UID is. Make sure you keep this in a safe place in case you need this info later.
The files were posted today. Remember to grab the MZ604 files if you have the Wifi only version of the Xoom.
http://developer.motorola.com/products/software/ <------ Grab the files here. The files are for the US version of the Wifi Xoom only.
Instructions to return it to stock
1) First you need the Moto Drivers - Read this thread to START you - http://forum.xda-developers.com/showthread.php?t=981578
Should have these drivers installed if you have rooted your Xoom before.
2) Make sure you have the latest SDK - adb and fastboot should be in /platform-tools - http://developer.android.com/sdk/index.html
Should have the android SDK if you have rooted your Xoom before.
3) Place all the downloaded stock image files into the SDK Tools folder.
4) If you are booting up from scratch, you can get the Xoom into fastboot mode by doing the following. Use the command prompt to perform the rest of the steps.
Holding VolDown and the Power button will boot the unit into fastboot mode.
fastboot flash boot boot.img
fastboot flash system system.img
fastboot flash recovery recovery.img
fastboot flash userdata userdata.img
fastboot erase cache
fastboot oem lock
If your Xoom is booted up already, follow the commands below using the command prompt to perform the steps.
adb reboot bootloader <---- reboots the Xoom into fastboot mode.
fastboot flash boot boot.img
fastboot flash system system.img
fastboot flash recovery recovery.img
fastboot flash userdata userdata.img
fastboot erase cache
fastboot oem lock
You noticed this too I see. Glad you posted this as a new thread. I was just randomly posting that link in threads where stock images may have helped.
I'm not home to try it yet but I'm guessing that's a US image?
Ahhhhh finally.
I just followed this process, everything worked on the Xoom WiFi (US), I'm back to stock and everything is OK so far.
But I'm an idiot and pressed vol up instead of down on the last step (oem lock), which aborted the oem lock step. Before I did this I was rooted, so I think technically I'm still rooted.
Can I simply go back into fastboot oem lock and try again and press the right button this time to re-lock the Xoom, or would that brick it?
ok thanks guys!
vista64 said:
I just followed this process, everything worked on the Xoom WiFi (US), I'm back to stock and everything is OK so far.
But I'm an idiot and pressed vol up instead of down on the last step (oem lock), which aborted the oem lock step. Before I did this I was rooted, so I think technically I'm still rooted.
Can I simply go back into fastboot oem lock and try again and press the right button this time to re-lock the Xoom, or would that brick it?
ok thanks guys!
If you want to be extra safe, start over from the beginning. You're probably still unlocked (but not rooted) if you managed to flash boot and system.
I have the error "failed to boot lnx 0x0004 - starting rsd mode 2".
Can I use this file??
DinarQ8 said:
I have the error "failed to boot lnx 0x0004 - starting rsd mode 2".
Can I use this file??
Only if you can get into fastboot mode AND your computer can see it. But if I recall, neither ADB, Fastboot nor RSD Lite will see your Xoom?
Maybe the solution is to wait for the SBF file.
Hi Scourge1024,
Are you going to try and flash the images to your Canadian Xoom AND then see if you can OEM re-lock it again??
I haven't been able to find out if all the WiFi images, i.e. US, Canadian or European, are interchangeable on a WiFi-only Xoom??
I guess what I'd like to know is, if I ever wanted to re-lock my UK Xoom, could I simply flash the Motorola MZ604_HWI69 files, then oem re-lock, OR would I have to wait for European Motorola backup files?
Cheers
Ody
what he said ^
Just tried downloading the Wi-fi files... On both my Mac and PC, it's saying it can't extract the ZIP. Crap crap crap crap crap...
If I remember correctly, Scourge said that both devices are exactly the same hardware. Therefore flashing either version's set of images is irrelevant as long as you use WiFi images for that model and 3G images for the other.
odyseus said:
Hi Scourge1024,
Are you going to try and flash the images to your Canadian Xoom AND then see if you can OEM re-lock it again??
I haven't been able to find out if all the WiFi images, i.e. US, Canadian or European, are interchangeable on a WiFi-only Xoom??
I guess what I'd like to know is, if I ever wanted to re-lock my UK Xoom, could I simply flash the Motorola MZ604_HWI69 files, then oem re-lock, OR would I have to wait for European Motorola backup files?
Cheers
Ody
Nope. I'm done being the guinea pig (with the OEM locking). I bricked my first Xoom trying to OEM lock it. I managed to lock it a few times. Then I tried a different boot.img and bricked...
Personally, I have no issues flashing the US image on. It's just the re-locking. There's really no point to relock it. The Americans with the 3G/4G Verizon ones had to be able to relock for a hardware upgrade. I have managed to flash US images onto my Xoom but they were extracted by BeagleBoy here. I posted a comparison here: http://forum.xda-developers.com/showthread.php?p=13070124
The software is interchangeable between the MZ604 Xoom models (Wi-fi only). There are a bunch of other Brits using the Canadian images I extracted from my and my friend's XOOMs. I've used the US ones. You just need to do a "fastboot -w" after flashing both the system and boot images because going between versions sometimes requires userdata to be wiped.
Scourge1024 said:
Just tried downloading the Wi-fi files... On both my Mac and PC, it's saying it can't extract the ZIP. Crap crap crap crap crap...
FYI,
$ md5sum MZ604_HWI69.zip
ae9b9f5693c4b49c745cb017afe1a4b5 MZ604_HWI69.zip
$ unzip -t MZ604_HWI69.zip
Archive: MZ604_HWI69.zip
warning [MZ604_HWI69.zip]: 36325409 extra bytes at beginning or within zipfile
(attempting to process anyway)
testing: MZ604_HWI69/boot.img OK
testing: MZ604_HWI69/recovery.img OK
testing: MZ604_HWI69/system.img OK
testing: MZ604_HWI69/userdata.img OK
No errors detected in compressed data of MZ604_HWI69.zip
You might be OK if you can get something that'll handle errors better.
In Windows, WinRar worked. On my Mac, I did what you posted and well, it seemed to work. I also did a compare against BeagleBoy's ripped images and boot was perfect. System was 1 byte off. Maybe a counter for the file system being mounted?
Code:
mac-mini:mz604_img Howard$ md5 MZ604_HWI69.zip
MD5 (MZ604_HWI69.zip) = ae9b9f5693c4b49c745cb017afe1a4b5
mac-mini:mz604_img Howard$ unzip -t MZ604_HWI69.zip
Archive: MZ604_HWI69.zip
warning [MZ604_HWI69.zip]: 36325409 extra bytes at beginning or within zipfile
(attempting to process anyway)
testing: MZ604_HWI69/boot.img OK
testing: MZ604_HWI69/recovery.img OK
testing: MZ604_HWI69/system.img OK
testing: MZ604_HWI69/userdata.img OK
No errors detected in compressed data of MZ604_HWI69.zip.
mac-mini:mz604_img Howard$
Scourge1024 said:
In Windows, WinRar worked. On my Mac, I did what you posted and well, it seemed to work. I also did a compare against BeagleBoy's ripped images and boot was perfect. System was 1 byte off. Maybe a counter for the file system being mounted?
Yep, IIRC, ext maintains a mount count. One'd need some file system tools to properly verify.
Can someone post a walk through on how to do this?
pricej636 said:
Can someone post a walk through on how to do this?
From the OP:
Instructions to return it to stock
fastboot flash boot boot.img
fastboot flash system system.img
fastboot flash recovery recovery.img
fastboot flash userdata userdata.img
fastboot erase cache
fastboot oem lock
Scourge1024 said:
Nope. I'm done being the guinea pig (with the OEM locking). I bricked my first Xoom trying to OEM lock it. I managed to lock it a few times. Then I tried a different boot.img and bricked...
Personally, I have no issues flashing the US image on. It's just the re-locking. There's really no point to relock it. The Americans with the 3G/4G Verizon ones had to be able to relock for a hardware upgrade. I have managed to flash US images onto my Xoom but they were extracted by BeagleBoy here. I posted a comparison here: http://forum.xda-developers.com/showthread.php?p=13070124
The software is interchangeable between the MZ604 Xoom models (Wi-fi only). There are a bunch of other Brits using the Canadian images I extracted from my and my friend's XOOMs. I've used the US ones. You just need to do a "fastboot -w" after flashing both the system and boot images because going between versions sometimes requires userdata to be wiped.
Fair do's - I don't blame you! You've done enough. As you say, why re-lock on WiFi?
What I would really like to do is flash all the images to my UK WiFi Xoom and then try to install Bignadad's BigDX Xoom|Zoom Theme.
Previously, flashing this theme soft-bricked my UK Xoom - I got loads of Force Closes. Installing the extracted images from you still caused the same problem. Maybe it only works on the US WiFi Xoom, but I might re-flash with the 'stock' ROM to see if that makes any difference? (I do have CWM nandroid backups in case of another soft brick!)
Cheers
Ody
Is there a risk in using these because of the "zip extra bytes" warning?
Is there any way to flash a bootloader, for example the testpoint one? It would be funny to build it from source.
munjeni said:
There is no source for our bootloaders! I have not tried to flash the bootloader but I think it's possible using dd, since I know TA flashing is possible with dd, so I think the bootloader is possible too. I do not know if there is a hash check for the bootloader partition (in case we flash a cracked bootloader) but I will see very soon! If there is no hash check, or if we are able to flash a cracked bootloader, then we can bypass the security check by cracking the bootloader!
I wanted to mmap the memory at 0x80110000 and see what I can see there... but it seems we cannot open it? Since:
Do you have an idea how we can read it?
Sorry, I don't know much about that.
Can't we build an lk bootloader modified for our device?
munjeni said:
There is no source for our bootloaders! I have not tried to flash the bootloader but I think it's possible using dd, since I know TA flashing is possible with dd, so I think the bootloader is possible too. I do not know if there is a hash check for the bootloader partition (in case we flash a cracked bootloader) but I will see very soon! If there is no hash check, or if we are able to flash a cracked bootloader, then we can bypass the security check by cracking the bootloader!
I would be very surprised if there's no signature-check for the bootloader partition, even the original (first) iPhone had a signature-check for the user-modifiable bootloader.
Perhaps a BROWN device (in SonyEricsson terms) would not have a check, but a retail device sure will.
CoolDevelopment said:
Sorry, I don't know much about that.
Can't we build an lk bootloader modified for our device?
I am not sure since our phone uses aboot. Did you find anywhere here on XDA that somebody had luck with lk on an Xperia device? I haven't searched, but maybe somebody had luck?
Will have a look at it later
The qualcomm boot chain verifies each part with a signature. I think what you modified is not part of the data which is used for calculating the signature.
There was an exploit in lk which allowed overwriting the signature check in lk with a modified ramdisk offset in the kernel (this allowed booting custom kernels with a locked bootloader). But this exploit is patched now (you can see in lk that it checks the ramdisk offset now) (see also http://blog.azimuthsecurity.com/2013/05/exploiting-samsung-galaxy-s4-secure-boot.html ).
munjeni said:
We have ABOOT running and not LK! Every part of a binary is part of the binary! In our case s1sbl is not signature checked! I think we are ready for cracking s1sbl!
ABOOT is a modified LK, very close to the source. Try modifying actual code of the bootloader binary first. I'm still pretty sure it's signature checked.
The boot files from the firmware are only flashed if the version is different. Each configuration is read and the phone checks the 'ATTRIBUTES VALUE'. If the attributes on the phone matches the attributes in the configuration, the files from the said configuration are flashed.
For example OTP_LOCK_STATUS you can find in service menu under Service tests => Security.
Bad thing: I have no flash mode and no fastboot.
Try flashing different commercial files and see which one lets you use fastboot and flash mode.
Another thing which could be possible with a modified bootloader is using the fotakernel partition as our recovery; that would be great.
this might be interesting: http://forum.xda-developers.com/showthread.php?t=2147997
And after reading through the lk bootloader source, it seems aboot is included in lk.
Flashed the 007B30E1 commercial version now (it has a bigger size) and it boots, but no flash mode; it seems we need to flash both files provided in the xml file for every configuration to get fastboot and flash mode active.
Strange thing:
dd if=/dev/zero of=/dev/block/platform/msm_sdcc.1/by-name/s1sbl
WTF, not bricked? There is another partition similar to s1sbl named alt_s1sbl (alternate partition); it seems this partition is used if the s1sbl partition is broken?
munjeni said:
On HTC phones you are right, but it seems you are wrong for Xperia! I have flashed it using the dd command and it's persistent!
Yes, of course... I am talking about the official firmware upgrade procedure.
The way to get rid of the warning caused by unlocking the bootloader on other phones would be to flash the proper bootloader logo in fastboot using:
Code:
fastboot flash logo logo.bin
This is how I did it on my old LG Nexus 5X.
Does anyone have the correct logo for the V20? Has anyone tried this on the V20?
It's not a logo file. It's located in aboot and you can't change it.
androiddiego said:
It's not a logo file. It's located in aboot and you can't change it.
That wasn't true on the 5X: https://forum.xda-developers.com/ne...-change-bootlogo-images-imgdata-tool-t3240052
Are you positive that it's different now?
Sizzlechest said:
That wasn't true on the 5X: https://forum.xda-developers.com/ne...-change-bootlogo-images-imgdata-tool-t3240052
Are you positive that it's different now?
Here is the tool that might be useful to search for and dump the relevant partition, mount it and investigate the source of the picture and text warning:
Partitions Backup & Restore
https://play.google.com/store/apps/details?id=ma.wanam.partitions
In the best case scenario, even use reverse engineering to skip the warning and its delay altogether; anyone?
Or is aboot non-writable?
You modify aboot in any way / shape / or form, and you better open a ticket with LG. When you unlock your bootloader, that stops aboot from verifying the signature of boot, laf, and recovery. XBL still very much does verification of all the other pieces of firmware. One of the first things it checks is the signature of aboot. If aboot has been modified, or wasn't signed with the same RSA cert that matches the RSA key that is in your model's QFPROM, then the phone goes into 9008 mode. At this time, there is no fixing that -- except sending it back to LG (and there may never be now that LG uses UFS nand in their phones).
-- Brian
I've personally looked into this and looks like it can't be changed.
I'm pretty sure the images are in the *raw_resources* partition. Look here.
It must be very hard to modify though considering LG use it for (all?) many models, since I've only found a single development thread for it, and as you'll see that didn't go very far.
@askermk2000 You are correct. Every single boot, charging, download mode, etc image is on that partition, and it isn't signed / checked, so modify away with no risk of bricking your phone.
There is an index with offsets for each image, but the format of the images isn't immediately obvious.
-- Brian
runningnak3d said:
@askermk2000 You are correct. Every single boot, charging, download mode, etc image is on that partition, and it isn't signed / checked, so modify away with no risk of bricking your phone.
There is an index with offsets for each image, but the format of the images isn't immediately obvious.
-- Brian
So it is indeed possible to change the unlocked bootloader warning?
Security wise, there is no reason that you can't change them. It looks like LG is using RLE encoding, so finding the start and end of an image is going to be interesting. There are offsets in the index, but they don't seem to align.
Also, while I don't think having a corrupt raw_resources partition would give you a 9008 brick, you might want to have a backup ready to flash if you decide to modify it. But, (and there is always a but), since aboot loads this, if aboot pukes and doesn't load, that WILL give you a 9008 brick.
If I were you, I would buy a used V10 off of eBay, and test on that since you can recover from a 9008 with an SD card.
-- Brian
I tried a bunch of things in an attempt to root AT&T's LG K20 (the LGM255), to no avail.
After unlocking the bootloader (so it says in the options; I don't think it actually did), I tried fiddling with Lekensteyn's LGLAF tool and various forks of it by steadfasterX and others. I tried pushing a TWRP image I made after being able to extract boot/recovery images using the aforementioned tool. LAF did not push that image but was fine with deleting partitions from the phone.
I took the risk of deleting the LAF partition in order to get access to fastboot. While it worked, just my luck, the lk variant of fastboot on the phone is stripped of essentially all functionality except for getvar and devices. Meaning I cannot flash anything, or modify any variables.
I have no means to restore the LAF partition (well, there is one way I know of possibly, but I want to save it as a last resort because the probability it would work is low and it risks bricking completely).
Now there is an lafbak partition, but I can't do anything with it.
There's some background, but here is my real question:
If I were to accept an FOTA update from AT&T, although it would update the firmware to a new version, would it restore or possibly flash a new LAF partition so that I could go into its LAF/Factory Reset mode again?
Hiya guys!
So, I've been plucking away at trial and error with my G6 (H873 Canadian) now that I have EDL to fall back to, and by using qdloader flashes to write my NAND I have written my device with a hybrid of the Pie beta 29a and an unlocked US997 aboot. After modifying the devinfo partition, my Magisk-modified boot image gets me as far as my lock screen. I can log in but my background is black. If I open Magisk Manager it shows it as installed but then crashes seconds later. Ideas? I have very minimal knowledge of the partition structure and the chain of trust for this device and I am absolutely sure it's my mistake, so maybe someone who is kind enough and has the time could explain a bit more to me about the inner workings of this mishmash bootup and possibly help me fix it to remain booted? Preferably without having to downgrade, by the way, as Pie has saved this device performance-wise.
After more screwing about I somehow relocked the bootloader and the key that worked before is now rejected. Any help?
No further luck but it doesn't matter. The boot loops have stopped and my changes are intact: H873 running the dual speaker mod and an ad-blocking hosts file. Root, however, is still not functioning and my attempted Viper4Android install is in some weird instant-reboot-to-bootloader limbo.
If I can do it by simply ****ing around, I'm confident someone can do more than me with enough time and knowledge. I'm not giving up either. I just honestly don't know what I'm doing. I do caution anyone who messes with this sort of stuff to dump a full partition-level backup of your phone. I know I nearly lost my misc partition (IMEI won't work right without it) and was saved by an earlier dump from my preliminary testing.
H873: Question, what aboot did you use and how did you modify the devinfo partition? I've literally been working on the aboot in Ghidra for 5 weeks. I have root in system with a modified su98; system is not currently mountable because it is not referenced in /proc/mounts. From what I can gather, devinfo must have 0x2 at both 0x10 and 0xe0; while both are equal to 2 and device reset is called, the unlock bit in RPMB is equal to Y, else it is N and it will erase the unlock key from RPMB. Also, I'm not afraid of bricking; I have been in EDL mode well over 50 times and have explored every single partition on this thing. I have the aboot for the US997 unlocked variant and the files from runningnak3d's AFH. The fastboot portion of the aboot, when looking at the decompiled code in Ghidra, is extremely small and strict.